As of today, HTTPS is the default for the OpenShift master, the
OpenShift command-line client, and the OpenShift web console.
When running in HTTPS, "openshift start" now does the following:
1. Generates a certificate authority
2. Creates a self-signed certificate for the API server
3. Creates client certificates for system components to use when communicating with the API
4. Creates client certificates and a .kubeconfig file for an admin user
The generated certificates are placed under "openshift.local.certificates" (changeable using the "--cert-dir" parameter).
Why is this awesome?
It makes sure we have the wiring in place for all parts of the system to be able to speak securely to each other, and lets us start turning on authentication and authorization.
How do I access the OpenShift master?
The default URL is now https://<ip>:8443 (available locally as https://localhost:8443).
Why do osc, curl, my web browser, and <my favorite tool> complain about SSL certificates?
"openshift start" creates a certificate to serve on HTTPS. API clients need to include the root certificate bundle in the list of trusted certs. This is located in $CERT_DIR/master/root.crt.
1. To get your browser working:
- Add an exception to trust the generated certificate the first time you access the master.
2. To get osc working:
- Preferred: use the generated admin user by passing --kubeconfig=$CERT_DIR/admin/.kubeconfig or setting KUBECONFIG=$CERT_DIR/admin/.kubeconfig (make sure you have read access to the files under $CERT_DIR/admin)
- Acceptable: pass "--certificate-authority=$CERT_DIR/master/root.crt"
- Bad (don't get used to doing this): pass "--insecure-skip-tls-verify=true"
3. To get curl working:
- Preferred: pass "--cacert $CERT_DIR/master/root.crt" or set CURL_CA_BUNDLE=$CERT_DIR/master/root.crt
- Bad (don't get used to doing this): pass "--insecure"
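
Why the clients complain, and what pointing them at root.crt changes, shown as an added example (not part of the original announcement and not OpenShift's own code). It builds a throwaway CA and server certificate with openssl as a constructed stand-in for the files under $CERT_DIR/master (every file name other than master/root.crt is an assumption) and runs the same chain check a TLS client performs.

```shell
#!/bin/sh
# Constructed stand-in for the certificates "openshift start" generates: a
# throwaway CA (master/root.crt) and a server certificate signed by it.
# Every file name except master/root.crt is hypothetical.
make_demo_certs() {  # $1 = cert dir, $2 = CA common name
    m="$1/master"
    mkdir -p "$m" || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$m/root.key" -out "$m/root.crt" 2>/dev/null || return 1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=localhost" \
        -keyout "$m/server.key" -out "$m/server.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$m/server.csr" -days 1 -CA "$m/root.crt" \
        -CAkey "$m/root.key" -CAcreateserial -out "$m/server.crt" 2>/dev/null
}

# The check a TLS client performs: does the served certificate chain to a
# trusted root? With no bundle given, only the system trust store is consulted.
trusts_server() {  # $1 = server certificate, $2 = CA bundle (may be empty)
    if [ -n "$2" ]; then
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
    else
        openssl verify "$1" >/dev/null 2>&1
    fi
}

verdict() {  # $1 = label, $2 = server certificate, $3 = CA bundle
    if trusts_server "$2" "$3"; then echo "$1=trusted"; else echo "$1=rejected"; fi
}

# Prints one verdict per scenario, one per line.
run_demo() {
    tmp=$(mktemp -d) || return 1
    make_demo_certs "$tmp/ours" "demo-ca" || return 1
    make_demo_certs "$tmp/other" "unrelated-ca" || return 1
    root="$tmp/ours/master/root.crt"
    # 1. Default trust store only: the complaint osc, curl and browsers raise.
    verdict no-bundle "$tmp/ours/master/server.crt" ""
    # 2. Same certificate with root.crt supplied (--cacert, --certificate-authority).
    verdict root.crt "$tmp/ours/master/server.crt" "$root"
    # 3. A certificate from a different issuer is still refused with root.crt.
    verdict other-issuer "$tmp/other/master/server.crt" "$root"
    rm -rf "$tmp"
}

run_demo
```

The third case is the protection that "--insecure" and "--insecure-skip-tls-verify=true" give up: with verification off, a certificate from any issuer is accepted.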
How do I go back to HTTP?
Why would you even ask that? You're making the EFF cry :-(
If you really need to, you can do the following to get the old default behaviour back:
openshift start: pass "--master=http://:8080"
osc: pass "--server=http://localhost:8080"
Do the tests use HTTPS?
Yes, when running tests (test-end-to-end.sh, test-cmd.sh, etc.), the defaults for scheme and port are "https" and "8443", respectively.
Set the environment variables API_SCHEME and API_PORT to override the defaults.
If you have any questions, or run into issues, please let me know.